OAuth 2.0 Authorization Code Grant workflow
Question
Application Type
Reactive
Service Studio Version
11.53.27 (Build 61662)

I am trying to integrate Brightspace D2L with Outsystems and need to figure out how best to consume an API (or another method) to be able to allow users to access / update their information in D2L using an Outsystems front-end. From what I have read so far, D2L requires an authorization token to be able to allow the user to read / update their own information.

Any help on OAuth 2.0 Authorization Code Grant workflow would be greatly appreciated (unless there is a simpler way to accomplish the same task).

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hi Robert,

There are some Forge Components for OpenID and OAuth flows that can act as good examples. In the end, even the code grant flow is quite simple.

You construct the authentication URL, that is:

https://<Authorization endpoint URL>?response_type=code&client_id=<your app client id>&redirect_uri=https://<outsystemsenv>/mycoolapp/callback&scope=<scopes delimited by comma>

client_id: This one you receive when registering your app

redirect_uri: URL-encoded URL of your callback screen. It must be registered with the application.

scope: depends on your service. It should be stated somewhere which scopes are supported.

Now you take the complete URL and redirect the user to that page. The user should now be asked to authenticate and, depending on the scope, to give consent to data access.

The authorization page now redirects the user back to the given redirect_uri. For this you should have a screen in your application accepting code as an input parameter (there could be some more, depending on the implementation of your service).

Using the code, you need to make a POST request to the token endpoint of your service (something like oauth/token). In your application, consume this REST endpoint as a POST request (form-urlencoded). In the POST request use grant_type=authorization_code&code={Code}

Potentially there are some more options you need to specify. It may also be necessary to add an Authorization header to your request, something like BASIC <Base64-encoded Client ID:Client Secret>.

If the POST succeeds, you get an access token, the access token expiration and a refresh token. You add the access code to all subsequent API calls as Authorization Bearer <your access token>.

Best

Stefan
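The four steps Stefan describes (build the authorization URL, receive the code on the callback screen, POST the code to the token endpoint with the client credentials in a Basic header, then send the access token as a Bearer header) as one runnable Python example. This is added illustration, not code from the original thread, from any Forge component or from D2L: the endpoints, client id, client secret and redirect URI are constructed placeholders, and the token response is a constructed sample. It goes slightly beyond the answer in two places a practitioner would want: a per-login `state` value that the callback screen must verify (RFC 6749 recommends it so a callback cannot be tied to somebody else's session), and an explicit check that the token endpoint returned a Bearer token. RFC 6749 separates scopes with spaces; the delimiter is a parameter in case the service documents commas as the answer mentions.

```python
"""OAuth 2.0 authorization code flow, confidential client side (added example)."""
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Constructed placeholders: the real endpoints, client id and secret come from
# the app registration with the authorization server (D2L in the question).
AUTH_ENDPOINT = "https://auth.example.com/oauth2/auth"
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"
CLIENT_ID = "app"
CLIENT_SECRET = "s3cret"
REDIRECT_URI = "https://outsystemsenv/mycoolapp/callback"


def new_state() -> str:
    """Unguessable per-login value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(scopes, state, scope_delimiter=" "):
    """Step 1: the URL the user is redirected to. Scopes are space-delimited in
    RFC 6749; pass ',' if the service documents comma-delimited scopes."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # urlencode() percent-encodes it
        "scope": scope_delimiter.join(scopes),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the callback screen receives ?code=...&state=... (or ?error=...).
    The state must match the one stored for this session before the code is used."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not tied to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code):
    """Step 3: form-urlencoded POST to the token endpoint, client credentials in
    an HTTP Basic header (id and secret are form-encoded before joining with ':')."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in step 1
    }).encode()
    creds = f"{urllib.parse.quote(CLIENT_ID)}:{urllib.parse.quote(CLIENT_SECRET)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(response_text, now):
    """Step 4: keep the access token, its absolute expiry and the refresh token."""
    data = json.loads(response_text)
    if "access_token" not in data:
        raise RuntimeError(f"token endpoint returned no token: {data.get('error', data)}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),
    }


def bearer_header(access_token):
    """Header added to every subsequent API call."""
    return {"Authorization": f"Bearer {access_token}"}


def exchange_code(code, now):
    """Performs step 3 over the network (needs a reachable token endpoint)."""
    url, headers, body = build_token_request(code)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode(), now)
```

In an OutSystems application the same pieces map onto a server action that builds the URL and stores the state, the callback screen that calls `parse_callback` logic on its `code` and `state` input parameters, and a consumed REST method for the token POST; the client secret and the tokens belong in site properties or server-side storage, never in a client variable.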

